Did your Thermostat Take Down Netflix? The Dyn DDOS-IoT Connection

We’re pretty enthusiastic about the Internet of Things here at Deep Core Data. Some of our long-time readers may have noticed that I jump at any chance to talk about the technology and how, as an industry, it’s beginning to grow and evolve. But like all new technology, it’s not without its hiccups.

As it turns out, the DDOS attacks last Friday (October 21) were yet another “hiccup” in this year’s string of mishaps.

The cyberattack against Dyn Inc, an Internet infrastructure company, took down a large number of high-profile websites, including Reddit, Amazon, and Netflix. Reports indicate that this may have been in part enabled by unprotected IoT devices. Over in China, a piece of malware known as Mirai has been hacking into vulnerable devices, connecting them together to form a botnet, then using them to launch Distributed Denial of Service attacks.

Dyn confirmed that devices from the Mirai botnet were a part of the attack, saying that “[they have] observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Hangzhou Xiongmai Technology, the vendor responsible for many of the devices used in the botnet, says they patched their firmware to protect against such security flaws back in September of 2015. However, older devices are still vulnerable, and many users have not changed their passwords from the default.

You see, the default usernames and passwords on IoT devices aren’t all that hard for hackers to guess. Sometimes guesswork isn’t even necessary, as some products list their default passwords online. Ostensibly this is for customers who need to reset their products and don’t have the default password on hand, but the ready availability means users need to change their passwords.

This infographic from cmswire.com shows some of the ways that IoT devices are unsecured.

The Internet of Things has had security issues right from the beginning, and many experts are hoping this attack will encourage IoT companies to strengthen their security protocols. Suggestions have ranged from requiring users to change the password upon the first use to automatic updates to ensure that firmware is completely up to date. Improvements may take a while to roll out, but it’s not as if developers don’t know what they’re up against.
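One way a device could enforce the change-on-first-use suggestion above, as an added example rather than code from any vendor or from the original post. The `Device` class, the sample passwords and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from any vendor's documentation.
FACTORY_PASSWORD = "admin"
COMMON_DEFAULTS = {"admin", "password", "12345", "root", "default"}
MIN_LENGTH = 12  # assumed policy for this example


class Device:
    """Hypothetical account store that enforces change-on-first-use."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_PASSWORD)
        self.must_change = True  # set at the factory, cleared only by set_password

    def _derive(self, password):
        # Store a salted, slow hash instead of the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self._hash, self._derive(password))

    def login(self, password, remote):
        """Return 'ok', 'denied' or 'change_required'."""
        if not self._check(password):
            return "denied"
        if self.must_change:
            # The factory password never opens a session from the network;
            # locally it only leads to the password-change step.
            return "denied" if remote else "change_required"
        return "ok"

    def set_password(self, old, new):
        """Replace the password; reject weak or well-known choices."""
        if not self._check(old):
            return False
        if new == old or new.lower() in COMMON_DEFAULTS or len(new) < MIN_LENGTH:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.must_change = False
        return True
```

With this gate in place, a device that ships with a published default password is not reachable over the network with that password, and the owner cannot swap one well-known default for another.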

A black-hat hacker is a hacker who breaches computer security for the thrill. Thycotic.com’s infographic shows how they view themselves and their targets.

AT&T recently released research that shows that most companies are suffering from preventable attacks, and that many of the threats are neither new nor uncommon. According to the research, 90% of companies have experienced a malware attack, which is just as often caused by clicking on a bad link as it is by having gaps in security.

These threats are so common and well known that Flashpoint, the company that investigated Friday’s attacks on Dyn’s behalf, doesn’t believe that they were carried out by professionals. Although groups such as the New World Hackers have claimed to have carried out the attacks, Flashpoint has dismissed such claims in favor of the “script kiddies” that inhabit hackforums.net. The source code for the Mirai malware itself originated there, making it a likely starting point for an amateur hacker. It will also make the responsible party even harder to find.

Another reason why Flashpoint thinks it’s an amateur hacker flexing their cybernetic muscles? A well-known (but currently unnamed) video game company was also targeted by the attacks on Friday. This, they feel, indicates that the attacks weren’t politically or even financially motivated, as the usual targets, such as Bitcoin exchanges or strategic objectives, weren’t caught in the crossfire.

I’ve talked about ways to protect your computer in the past, and discussed why having a solid disaster recovery plan is so important, but I feel that Friday’s attacks and AT&T’s cybersecurity report really drive the point home. While IoT developers can do a better job of building in minimal security measures, the onus is still on the user to make sure they’re protecting their devices to the best of their ability. And the easiest way to do that?


Andrew is a technical writer for Deep Core Data. He has been writing creatively for 10 years, and has a strong background in graphic design. He enjoys reading blogs about the quirks and foibles of technology, gadgetry, and writing tips.